From c7c30e390b2d3b4685e847bc097635ee23d2db08 Mon Sep 17 00:00:00 2001 From: beckyvb Date: Thu, 16 Apr 2015 15:26:11 -0400 Subject: [PATCH 1/5] Profile activity: Allow users to curate the activity on their own wall. Add function to check whether a user has permission to delete. Revoke ability for users to delete their own posts on other users' walls. --- .../controllers/class.activitycontroller.php | 60 ++++++++++--------- .../views/activity/helper_functions.php | 13 ++-- 2 files changed, 36 insertions(+), 37 deletions(-) diff --git a/applications/dashboard/controllers/class.activitycontroller.php b/applications/dashboard/controllers/class.activitycontroller.php index ba270c6f18d..7c263f0f52f 100755 --- a/applications/dashboard/controllers/class.activitycontroller.php +++ b/applications/dashboard/controllers/class.activitycontroller.php @@ -150,26 +150,42 @@ public function Index($Filter = FALSE, $Page = FALSE) { $this->Render(); } - public function DeleteComment($ID, $TK, $Target = '') { - $Session = Gdn::Session(); - - if (!$Session->ValidateTransientKey($TK)) + public function DeleteComment($ID, $TK, $Target = '', $profileUserId = '', $insertUserId = '') { + if (!$this->canDelete($ID, $TK, $profileUserId, $insertUserId)) { throw PermissionException(); + } + $this->ActivityModel->DeleteComment($ID); + if ($this->DeliveryType() === DELIVERY_TYPE_ALL) + Redirect($Target); - $Comment = $this->ActivityModel->GetComment($ID); - if (!$ID) - throw NotFoundException(); + $this->Render('Blank', 'Utility', 'Dashboard'); + } - if ($Session->CheckPermission('Garden.Activity.Delete') || $Comment['InsertUserID'] = $Session->UserID) { - $this->ActivityModel->DeleteComment($ID); - } else { + public function canDelete($id, $transientKey, $profileUserId = '', $insertUserId = '') { + $session = Gdn::Session(); + if (!$session->ValidateTransientKey($transientKey)) { throw PermissionException(); } + if (!is_numeric($id)) { + throw Gdn_UserException('Invalid ID'); + } - if ($this->DeliveryType() === DELIVERY_TYPE_ALL) - Redirect($Target); + // User can delete any activity + if ($session->CheckPermission('Garden.Activity.Delete')) { + return true; + } - $this->Render('Blank', 'Utility', 'Dashboard'); + // We're on the user's profile + if ($profileUserId && $session->UserID == $profileUserId && $session->CheckPermission('Garden.Profiles.Edit')) { + return true; + } + + // The user inserted the activity +// if ($insertUserId && $insertUserId == $session->UserID) { +// return true; +// } + + return false; } /** @@ -181,24 +197,10 @@ public function DeleteComment($ID, $TK, $Target = '') { * @param int $ActivityID Unique ID of item to delete. * @param string $TransientKey Verify intent. */ - public function Delete($ActivityID = '', $TransientKey = '') { - $Session = Gdn::Session(); - if (!$Session->ValidateTransientKey($TransientKey)) + public function Delete($ActivityID = '', $TransientKey = '', $profileUserId = '', $insertUserId = '') { + if (!$this->canDelete($ActivityID, $TransientKey, $profileUserId, $insertUserId)) { throw PermissionException(); - - if (!is_numeric($ActivityID)) - throw Gdn_UserException('Invalid activity ID'); - - - $HasPermission = $Session->CheckPermission('Garden.Activity.Delete'); - if (!$HasPermission) { - $Activity = $this->ActivityModel->GetID($ActivityID); - if (!$Activity) - throw NotFoundException('Activity'); - $HasPermission = $Activity['InsertUserID'] == $Session->UserID; } - if (!$HasPermission) - throw PermissionException(); $this->ActivityModel->Delete($ActivityID); diff --git a/applications/dashboard/views/activity/helper_functions.php b/applications/dashboard/views/activity/helper_functions.php index ab9fd6ee9e4..9a62a9f9977 100644 --- a/applications/dashboard/views/activity/helper_functions.php +++ b/applications/dashboard/views/activity/helper_functions.php @@ -50,12 +50,8 @@ function WriteActivity($Activity, &$Sender, &$Session) { ?>
  • IsValid() - && ($Session->UserID == $Activity->InsertUserID - || $Session->CheckPermission('Garden.Activity.Delete')) - ) - echo '
    '.Anchor('×', 'dashboard/activity/delete/'.$Activity->ActivityID.'/'.$Session->TransientKey().'?Target='.urlencode($Sender->SelfUrl), 'Delete').'
    '; + if (ActivityController::canDelete($Activity->ActivityID, $Session->TransientKey(), $Sender->ProfileUserID, $Activity->InsertUserID)) + echo '
    '.Anchor('×', 'dashboard/activity/delete/'.$Activity->ActivityID.'/'.$Session->TransientKey().'?Target='.urlencode($Sender->SelfUrl).'&profileUserId='.$Sender->ProfileUserID.'&insertUserId='.$Activity->InsertUserID, 'Delete').'
    '; if ($PhotoAnchor != '') { ?> @@ -159,8 +155,9 @@ function WriteActivityComment($Comment, &$Sender, &$Session) {
    UserID == $Comment['InsertUserID'] || $Session->CheckPermission('Garden.Activity.Delete')) - echo Anchor(T('Delete'), "dashboard/activity/deletecomment?id={$Comment['ActivityCommentID']}&tk=".$Session->TransientKey().'&target='.urlencode(Gdn_Url::Request()), 'DeleteComment'); + if (ActivityController::canDelete($Comment['ActivityCommentID'], $Session->TransientKey(), $Sender->ProfileUserID, val('InsertUserID', $Comment))) { + echo Anchor(T('Delete'), "dashboard/activity/deletecomment?id={$Comment['ActivityCommentID']}&tk=".$Session->TransientKey().'&target='.urlencode(Gdn_Url::Request()).'&profileUserId='.$Sender->ProfileUserID.'&insertUserId='.val('InsertUserID', $Comment), 'DeleteComment'); + } ?>
    From f7e173c799a3e49de53c7de21c7afb2927a7529d Mon Sep 17 00:00:00 2001 From: beckyvb Date: Thu, 16 Apr 2015 18:08:27 -0400 Subject: [PATCH 2/5] Activity: Remove unnecessary params in controller methods. Move canDelete function to model. --- .../controllers/class.activitycontroller.php | 54 +++++++++---------- .../dashboard/models/class.activitymodel.php | 39 ++++++++++++++ .../views/activity/helper_functions.php | 15 +++--- 3 files changed, 73 insertions(+), 35 deletions(-) diff --git a/applications/dashboard/controllers/class.activitycontroller.php b/applications/dashboard/controllers/class.activitycontroller.php index 7c263f0f52f..1857ee01d39 100755 --- a/applications/dashboard/controllers/class.activitycontroller.php +++ b/applications/dashboard/controllers/class.activitycontroller.php @@ -150,42 +150,31 @@ public function Index($Filter = FALSE, $Page = FALSE) { $this->Render(); } - public function DeleteComment($ID, $TK, $Target = '', $profileUserId = '', $insertUserId = '') { - if (!$this->canDelete($ID, $TK, $profileUserId, $insertUserId)) { - throw PermissionException(); - } - $this->ActivityModel->DeleteComment($ID); - if ($this->DeliveryType() === DELIVERY_TYPE_ALL) - Redirect($Target); - - $this->Render('Blank', 'Utility', 'Dashboard'); - } - - public function canDelete($id, $transientKey, $profileUserId = '', $insertUserId = '') { + public function DeleteComment($ID, $TK, $Target = '') { $session = Gdn::Session(); - if (!$session->ValidateTransientKey($transientKey)) { + if (!$session->ValidateTransientKey($TK)) { throw PermissionException(); } - if (!is_numeric($id)) { + + if (!is_numeric($ID)) { throw Gdn_UserException('Invalid ID'); } - // User can delete any activity - if ($session->CheckPermission('Garden.Activity.Delete')) { - return true; - } + $comment = $this->ActivityModel->GetComment($ID); + $activity = $this->ActivityModel->GetID(val('ActivityID', $comment)); - // We're on the user's profile - if ($profileUserId && $session->UserID == $profileUserId && $session->CheckPermission('Garden.Profiles.Edit')) { - return true; + if (!$activity) { + throw NotFoundException('Activity'); } - // The user inserted the activity -// if ($insertUserId && $insertUserId == $session->UserID) { -// return true; -// } + if (!$this->ActivityModel->canDelete($activity)) { + throw PermissionException(); + } + $this->ActivityModel->DeleteComment($ID); + if ($this->DeliveryType() === DELIVERY_TYPE_ALL) + Redirect($Target); - return false; + $this->Render('Blank', 'Utility', 'Dashboard'); } /** @@ -197,8 +186,17 @@ public function canDelete($id, $transientKey, $profileUserId = '', $insertUserId * @param int $ActivityID Unique ID of item to delete. * @param string $TransientKey Verify intent. */ - public function Delete($ActivityID = '', $TransientKey = '', $profileUserId = '', $insertUserId = '') { - if (!$this->canDelete($ActivityID, $TransientKey, $profileUserId, $insertUserId)) { + public function Delete($ActivityID = '', $TransientKey = '') { + $session = Gdn::Session(); + if (!$session->ValidateTransientKey($TransientKey)) { + throw PermissionException(); + } + + if (!is_numeric($ActivityID)) { + throw Gdn_UserException('Invalid ID'); + } + + if (!$this->ActivityModel->canDelete($this->ActivityModel->GetID($ActivityID))) { throw PermissionException(); } diff --git a/applications/dashboard/models/class.activitymodel.php b/applications/dashboard/models/class.activitymodel.php index 3c3b7dd3e43..6443696b11e 100755 --- a/applications/dashboard/models/class.activitymodel.php +++ b/applications/dashboard/models/class.activitymodel.php @@ -479,6 +479,45 @@ public function GetNotifications($NotifyUserID, $Offset = '0', $Limit = '30') { return $Result; } + + /** + * @param $activity + * @return bool + */ + public static function canDelete($activity) { + $session = Gdn::Session(); + + $profileUserId = val('ActivityUserID', $activity); +// $insertUserId = val('InsertUserID', $activity); + $notifyUserId = val('NotifyUserID', $activity); + + // User can delete any activity + if ($session->CheckPermission('Garden.Activity.Delete')) { + return true; + } + + $notifyUserIds = array(ActivityModel::NOTIFY_PUBLIC); + if (Gdn::Session()->CheckPermission('Garden.Moderation.Manage')) { + $notifyUserIds[] = ActivityModel::NOTIFY_MODS; + } + + // Is this a wall post? + if (!in_array($notifyUserId, $notifyUserIds)) { + return false; + } + // Is this on the user's wall? + if ($profileUserId && $session->UserID == $profileUserId && $session->CheckPermission('Garden.Profiles.Edit')) { + return true; + } + + // The user inserted the activity +// if ($insertUserId && $insertUserId == $session->UserID) { +// return true; +// } + + return false; + } + /** * Get notifications for a user since designated ActivityID. * diff --git a/applications/dashboard/views/activity/helper_functions.php b/applications/dashboard/views/activity/helper_functions.php index 9a62a9f9977..e0098ad52d7 100644 --- a/applications/dashboard/views/activity/helper_functions.php +++ b/applications/dashboard/views/activity/helper_functions.php @@ -50,9 +50,9 @@ function WriteActivity($Activity, &$Sender, &$Session) { ?>
  • ActivityID, $Session->TransientKey(), $Sender->ProfileUserID, $Activity->InsertUserID)) - echo '
    '.Anchor('×', 'dashboard/activity/delete/'.$Activity->ActivityID.'/'.$Session->TransientKey().'?Target='.urlencode($Sender->SelfUrl).'&profileUserId='.$Sender->ProfileUserID.'&insertUserId='.$Activity->InsertUserID, 'Delete').'
    '; - + if (ActivityModel::canDelete($Activity)) { + echo '
    '.Anchor('×', 'dashboard/activity/delete/'.$Activity->ActivityID.'/'.$Session->TransientKey().'?Target='.urlencode($Sender->SelfUrl), 'Delete').'
    '; + } if ($PhotoAnchor != '') { ?>
    @@ -102,7 +102,7 @@ function WriteActivity($Activity, &$Sender, &$Session) { if (count($Comments) > 0) { echo '